Section 1: Overview NetScaler Summary NetScaler AAA-TM Module Traffic Management Unified Gateway Authentication Overview: Password Changes

Section 1: Overview
  NetScaler Summary
  NetScaler AAA-TM Module
  Traffic Management
  Unified Gateway
  Authentication Overview
  Password Changes
  One Public IP for AAA-TM Deployments on NetScaler
  Limitations and Usage Guidelines
  SAML 2.0 SaaS Applications
  Why SAML?
  ADFS Hybrid Cloud Integration
  ADFS Proxy Mode
  ADFS IDP Mode
  NetScaler Multi-Factor (nFactor) Authentication
  Customer Enterprise Applications
Section 2: Configuration Steps
  Unified Gateway for Hosted Windows Applications
  NetScaler Gateway deployed in the secure network
  SAML Identity Provider (IdP) Mode
  Note
  Note
  ADFS Proxy Mode Configuration

Section 1: Overview

NetScaler Summary

Citrix NetScaler is an all-in-one application delivery controller that makes applications run up to five times better, reduces application ownership costs, optimizes the user experience and ensures that applications are always available by using:
- Advanced L4-7 load balancing and traffic management
- Proven application acceleration such as HTTP compression and caching
- An integrated application firewall for application security
- Server offloading to significantly reduce costs and consolidate servers

As an undisputed leader of service and application delivery, Citrix NetScaler is deployed in thousands of networks around the world to optimize, secure and control the delivery of all enterprise and cloud services. Deployed directly in front of web and database servers, NetScaler combines high-speed load balancing and content switching, HTTP compression, content caching, SSL acceleration, application flow visibility and a powerful application firewall into an integrated, easy-to-use platform. Meeting SLAs is greatly simplified with end-to-end monitoring that transforms network data into actionable business intelligence. NetScaler allows policies to be defined and managed using a simple declarative policy engine with no programming expertise required.

NetScaler AAA-TM Module

AAA provides security for a distributed Internet environment by allowing any client with the proper credentials to connect securely to protected application servers from anywhere on the Internet. This feature incorporates the three security features of authentication, authorization, and auditing. Authentication enables the NetScaler ADC to verify the client's credentials, either locally or with a third-party authentication server, and allow only approved users to access protected servers. Authorization enables the ADC to verify which content on a protected server it should allow each user to access. Auditing enables the ADC to keep a record of each user's activity on a protected server.
Unified Gateway

Enterprises can now achieve federation and single sign-on across enterprise, Web, SaaS and on-premises virtual applications and desktops via NetScaler Unified Gateway. NetScaler Unified Gateway leverages its Authentication, Authorization and Auditing (AAA) features with content switching to enable users to access all their authorized enterprise applications through a single gateway and URL. Organizations deploying NetScaler today for their XenApp and XenDesktop infrastructure can easily expand its functionality for single sign-on across enterprise legacy, Web, virtual and public, private and hybrid cloud applications. Customers using third-party single sign-on and application delivery solutions and gateways can deploy a single solution for all their single sign-on needs by consolidating on NetScaler Unified Gateway. All existing authentication mechanisms that work with NetScaler Gateway work with Unified Gateway. These include LDAP, RADIUS, SAML, Kerberos, Certificate based Authentication, and so on.

Whatever authentication mechanism is configured on the NetScaler Gateway virtual server before the upgrade is automatically used when the NetScaler Gateway virtual server is placed behind the Unified Gateway virtual server. There are no additional configuration steps involved, other than assigning a non-addressable IP address (0.0.0.0) to the NetScaler Gateway virtual server.

Authentication Overview

To understand how AAA works in a distributed environment, consider an organization with an intranet that its employees access in the office, at home, and when traveling. The content on the intranet is confidential and requires secure access. Any user who wants to access the intranet must have a valid user name and password. To meet these requirements, the ADC does the following:
- Redirects the user to the login page if the user accesses the intranet without having logged in.
- Collects the user's credentials, delivers them to the authentication server, and caches them in a directory that is accessible through LDAP.
- Verifies that the user is authorized to access specific intranet content before delivering the user's request to the application server.
- Maintains a session timeout after which users must authenticate again to regain access to the intranet. (You can configure the timeout.)
- Logs the user accesses, including invalid login attempts, in an audit log.

Authentication requires that several entities (the client, the NetScaler appliance, the external authentication server if one is used, and the application server) respond to each other when prompted by performing a complex series of tasks in the correct order. When an authenticated client requests a resource, the ADC, before sending the request to the application server, checks the user and group policies associated with the client account, to verify that the client is authorized to access that resource. The ADC handles all authorization on protected application servers. You do not need to do any special configuration of your protected application servers.
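The request flow just described (redirect to login, credential check, session timeout, per-user and per-group authorization, audit log of every access including failed logins) is easier to reason about when it is written out as code. The following is an added illustration written for this page, not Citrix code: the user directory, the authorization policies, the path prefixes and the session timeout are all constructed for the example, and a real deployment would query LDAP, RADIUS or another authentication server instead of the in-memory dictionary.

```python
"""Toy model of the AAA-TM request flow: unauthenticated requests are
redirected to the login page, credentials are checked against a stand-in
for the authentication server, sessions expire after a configurable idle
timeout, authorization policies are evaluated per user and group before a
request is forwarded, and every access (including failed logins) is
written to an audit log.  Constructed example, not Citrix code."""
import secrets
import time

# Stand-in user directory (constructed; a real deployment queries LDAP/RADIUS/...).
USER_DIRECTORY = {
    "alice": {"password": "alice-pass", "groups": ["staff", "finance"]},
    "bob": {"password": "bob-pass", "groups": ["staff"]},
}

# Authorization policies: path prefix -> groups allowed to reach it (constructed).
AUTHZ_POLICIES = {
    "/intranet/finance/": ["finance"],
    "/intranet/": ["staff"],
}


class AaaGateway:
    def __init__(self, session_timeout_s=900.0, clock=time.monotonic):
        self.session_timeout_s = session_timeout_s
        self.clock = clock            # injectable so tests can move time forward
        self.sessions = {}            # cookie -> (username, last_seen)
        self.audit_log = []           # list of (event, username, detail), chronological

    def _audit(self, event, user, detail):
        self.audit_log.append((event, user, detail))

    def login(self, username, password):
        """Validate credentials; return a session cookie, or None on failure."""
        entry = USER_DIRECTORY.get(username)
        # Constant-time compare, also when the user is unknown.
        ok = entry is not None and secrets.compare_digest(
            entry["password"].encode(), password.encode())
        if not ok:
            self._audit("LOGIN_FAILED", username, "invalid credentials")
            return None
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = (username, self.clock())
        self._audit("LOGIN_OK", username, "session created")
        return cookie

    def _resolve_session(self, cookie):
        """Map a cookie to a user, expiring idle sessions on the way."""
        if cookie not in self.sessions:
            return None
        username, last_seen = self.sessions[cookie]
        if self.clock() - last_seen > self.session_timeout_s:
            del self.sessions[cookie]
            self._audit("SESSION_EXPIRED", username, "timeout")
            return None
        self.sessions[cookie] = (username, self.clock())   # refresh idle timer
        return username

    def _authorized(self, username, path):
        groups = set(USER_DIRECTORY[username]["groups"])
        # Most specific (longest) prefix wins.
        for prefix in sorted(AUTHZ_POLICIES, key=len, reverse=True):
            if path.startswith(prefix):
                return bool(groups & set(AUTHZ_POLICIES[prefix]))
        return False

    def handle(self, path, cookie=None):
        """Return (status, detail) for a request to a protected path."""
        username = self._resolve_session(cookie)
        if username is None:
            return (302, "/login")           # redirect to the login page
        if not self._authorized(username, path):
            self._audit("AUTHZ_DENIED", username, path)
            return (403, "forbidden")
        self._audit("ACCESS", username, path)
        return (200, f"forwarded {path} to application server")
```

The authorization check runs before anything is forwarded, which is the point of the passage: the application server behind the gateway never sees a request the ADC has not already authenticated and authorized, and the audit log records the denial as well as the success.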

Password Changes

AAA-TM handles password changes for users by using the protocol-specific method for the authentication server. For most protocols, neither the user nor the administrator needs to do anything different than they would without AAA-TM. Even when an LDAP authentication server is in use, and that server is part of a distributed network of LDAP servers with a single designated domain administration server, password changes are usually handled seamlessly. When an authenticated client of an LDAP server changes his or her password, the client sends a credential modify request to AAA-TM, which forwards it to the LDAP server. If the user's LDAP server is also the domain administration server, that server responds appropriately and AAA-TM then performs the requested password change. Otherwise, the LDAP server sends AAA-TM an LDAP_REFERRAL response to the domain administration server. AAA-TM follows the referral to the indicated domain administration server, authenticates to that server, and performs the password change on that server.

Note: When configuring AAA-TM with an LDAP authentication server, the system administrator must keep the following conditions and limitations in mind:
- AAA-TM assumes that the domain administration server in the referral accepts the same bind credentials as the original server.
- AAA-TM only follows LDAP referrals for password change operations. In other cases AAA-TM refuses to follow the referral.
- AAA-TM only follows one level of LDAP referrals. If the second LDAP server also returns a referral, AAA-TM refuses to follow the second referral.

Audit / Logging Support

The ADC supports auditing of all states and status information, so you can see the details of what each user did while logged on, in chronological order. To provide this information, the appliance logs each event, as it occurs, either to a designated audit log file on the appliance or to a syslog server. Auditing requires configuring the appliance and any syslog server that you use.

Authentication Matrix

NetScaler supports the AAA framework for Traffic Management (TM) virtual servers (henceforth called vserver) by leveraging various AAA features supported by the authentication subsystem. The server used for authentication is called the "authentication vserver" or AAA vserver.

One Public IP for AAA-TM Deployments on NetScaler

NetScaler can consolidate the above picture to one public endpoint by having the authentication vserver slide adjacent to the TM vserver so that there is one public end point, and in turn one certificate. This is depicted in the following diagram:

Windows Hosted Applications by XenApp and XenDesktop

You can deploy NetScaler Gateway at the perimeter of your organization's internal network (or intranet) to provide a secure single point of access to the servers, applications, and other network resources that reside in the internal network. All remote users must connect to NetScaler Gateway before they can access any resources in the internal network.
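The three referral rules in the Password Changes section above (same bind credentials are reused, referrals are followed only for password changes, and only one level deep) are worth modelling, because the one-level limit is where a multi-tier LDAP topology fails silently. The following is an added example written for this page, not Citrix code: the servers, bind DNs, passwords and topology are constructed, and the in-memory `FakeLdapServer` stands in for a real LDAP directory.

```python
"""Constructed model of how AAA-TM treats an LDAP_REFERRAL.  Each fake
server returns a result or a referral to another server.  The gateway
follows a referral only for password-change operations, only one level
deep, and reuses the original bind credentials on the referred server.
Illustration written for this page, not Citrix code."""
from dataclasses import dataclass, field


@dataclass
class FakeLdapServer:
    name: str
    bind_credentials: tuple            # (bind DN, password) the server accepts
    is_domain_admin: bool = False      # the designated domain administration server
    refer_to: str = None               # server named in the LDAP_REFERRAL response
    passwords: dict = field(default_factory=dict)

    def bind(self, dn, password):
        return (dn, password) == self.bind_credentials

    def modify_password(self, user, old, new):
        """Return ('OK',), ('REFERRAL', server_name) or ('ERROR', reason)."""
        if not self.is_domain_admin:
            return ("REFERRAL", self.refer_to)
        if self.passwords.get(user) != old:
            return ("ERROR", "old password mismatch")
        self.passwords[user] = new
        return ("OK",)

    def search(self, user):
        if not self.is_domain_admin:
            return ("REFERRAL", self.refer_to)
        return ("OK", user in self.passwords)


class AaaTm:
    MAX_REFERRAL_DEPTH = 1   # AAA-TM follows a single level of referrals

    def __init__(self, servers, bind_dn, bind_pw):
        self.servers = {s.name: s for s in servers}
        self.bind = (bind_dn, bind_pw)   # the same bind is reused on referred servers

    def _call(self, server_name, op, *args):
        server = self.servers[server_name]
        if not server.bind(*self.bind):
            return ("ERROR", f"bind to {server_name} rejected")
        return getattr(server, op)(*args)

    def change_password(self, first_server, user, old, new):
        """Password change: follow at most one LDAP referral."""
        result = self._call(first_server, "modify_password", user, old, new)
        depth = 0
        while result[0] == "REFERRAL":
            if depth >= self.MAX_REFERRAL_DEPTH:
                return ("ERROR", "refusing second-level referral")
            depth += 1
            result = self._call(result[1], "modify_password", user, old, new)
        return result

    def lookup(self, first_server, user):
        """Any other operation: a referral is never followed."""
        result = self._call(first_server, "search", user)
        if result[0] == "REFERRAL":
            return ("ERROR", "referral not followed for non-password operation")
        return result


def build_forest():
    """Constructed topology: admin server, one branch referring to it, one
    branch two hops away, and one branch referring to a server whose bind
    credentials differ from the original server's."""
    svc = ("cn=svc,dc=example,dc=com", "svc-pw")
    admin = FakeLdapServer("dc-admin", svc, is_domain_admin=True,
                           passwords={"alice": "old-pw"})
    branch = FakeLdapServer("dc-branch", svc, refer_to="dc-admin")
    far = FakeLdapServer("dc-far", svc, refer_to="dc-branch")
    other = FakeLdapServer("dc-other", ("cn=other,dc=example,dc=com", "x"),
                           is_domain_admin=True, passwords={"alice": "old-pw"})
    branch2 = FakeLdapServer("dc-branch2", svc, refer_to="dc-other")
    return [admin, branch, far, other, branch2]
```

A client whose LDAP server is two referrals away from the domain administration server, or whose administration server expects a different bind account, will see the password change fail at the gateway even though the directory itself is healthy; checking the referral depth and bind-credential consistency of the LDAP action is the first thing to verify when AAA-TM password changes fail.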

NetScaler Gateway is most commonly installed in the following locations in a network:
- In the network DMZ
- In a secure network that does not have a DMZ

You can also deploy NetScaler Gateway with XenApp, XenDesktop, StoreFront, and XenMobile Server to allow users to access their Windows, web, mobile, and SaaS applications. If your deployment includes XenApp, StoreFront, or XenDesktop 7, you can deploy NetScaler Gateway in a single-hop or double-hop DMZ configuration. A double-hop deployment is not supported with earlier versions of XenDesktop or XenMobile App Edition.

SAML 2.0 SaaS Applications

Security Assertion Markup Language (SAML) is an XML-based authentication mechanism that provides single sign-on capability and is defined by the OASIS Security Services Technical Committee.

Why SAML?

Consider a scenario in which a service provider (LargeProvider) hosts a number of applications for a customer (BigCompany). BigCompany has users that must seamlessly access these applications. In a traditional setup, LargeProvider would need to maintain a database of users of BigCompany. This raises some concerns for each of the following stakeholders:
- LargeProvider must ensure security of user data.
- BigCompany must validate the users and keep the user data up-to-date, not just in its own database, but also in the user database maintained by LargeProvider. For example, a user removed from the BigCompany database must also be removed from the LargeProvider database.
- A user has to log on individually to each of the hosted applications.

The SAML authentication mechanism provides an alternative approach. The following deployment diagram shows how SAML works. The concerns raised by traditional authentication mechanisms are resolved as follows:
- LargeProvider does not have to maintain a database for BigCompany users. Freed from identity management, LargeProvider can concentrate on providing better services.
- BigCompany does not bear the burden of making sure the LargeProvider user database is kept in sync with its own user database.
- A user can log on once, to one application hosted on LargeProvider, and be automatically logged on to the other applications that are hosted there.

The NetScaler appliance can be deployed as a SAML Service Provider (SP) and a SAML Identity Provider (IdP). Read through the relevant topics to understand the configurations that must be performed on the NetScaler appliance.

ADFS Hybrid Cloud Integration

AD FS is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet. When a user needs to access a Web application from one of its federation partners, the user's own organization is responsible for authenticating the user and providing identity information in the form of "claims" to the partner that hosts the Web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its Web application, which uses the claims to make authorization decisions. Active Directory Federation Services (AD FS) makes it possible for local users and federated users to use claims-based single sign-on (SSO) to Web sites and services. You can use AD FS to enable your organization to collaborate securely across Active Directory domains with other external organizations by using identity federation. This reduces the need for duplicate accounts, management of multiple logons, and other credential management issues that can occur when you establish cross-organizational trusts.

ADFS Proxy Mode

The AD FS 2.0 Proxy is a service that brokers a connection between external users and your internal AD FS 2.0 server. It acts as a reverse proxy and typically resides in your organization's perimeter network (aka DMZ). As far as the user is concerned, they do not know they are talking to an AD FS proxy server, as the federation services are accessed by the same URLs. The proxy server handles three primary functions.
- Assertion provider: The proxy accepts token requests from users and passes the information over SSL (default port 443) to the internal AD FS server. It receives the token from the internal AD FS server and passes it back to the user.
- Assertion consumer: The proxy accepts tokens from users and passes them over SSL (default port 443) to the internal AD FS server for processing.
- Metadata provider: The proxy will also respond to requests for Federation Metadata.

The AD FS 2.0 Proxy is not a requirement for using AD FS; it is an additional feature. The reason you would install an AD FS 2.0 Proxy is you do not want to expose the actual AD FS 2.0 server to the Internet. AD FS 2.0 servers are domain joined resources, while the AD FS 2.0 Proxy does not have that requirement. If all your users and applications are internal to your network, you do not need to use an AD FS 2.0 Proxy. If there is a requirement to expose your federation service to the Internet, it is a best practice to use an AD FS 2.0 Proxy. https://blogs.technet.microsoft.com/askds/2012/01/05/understanding-the-ad-fs-2-0-proxy/

ADFS IDP Mode

The federated partner's Identity Provider (IP) sends claims that reflect its users' identity, groups, and attribute data. Therefore, your organization no longer needs to revoke, change, or reset the credentials for the partner's users, since the credentials are managed by the partner organization. Additionally, if a partnership needs to be terminated, it can be performed with a single trust policy change. Without AD FS, individual accounts for each partner user would need to be deactivated. Configuring as the identity provider enables reusing existing accounts managed by existing Active Directory objects for authentication. It eliminates the need for either building complex account synchronization mechanisms or developing custom code that performs the tasks of accepting end user credentials, validating them against the credentials store, and managing the identities. https://msdn.microsoft.com/en-us/library/bb897402.aspx

NetScaler Multi-Factor (nFactor) Authentication

nFactor gives a fresh perspective to authentication, streamlines the authentication flow and provides great flexibility during authentication. Multi-factor authentication enhances the security of an application by requiring users to provide multiple proofs of identity to gain access. The NetScaler appliance provides an extensible and flexible approach to configuring multi-factor authentication. This approach is called nFactor authentication. With nFactor authentication you can:
- Configure any number of authentication factors.
- Base the selection of the next factor on the result of executing the previous factor.
- Customize the login interface. For example, you can customize the label names, error messages, and help text.
- Extract user group information without doing authentication.
- Configure pass-through for an authentication factor. This means that no explicit login interaction is required for that factor.
- Configure the order in which different types of authentication are applied. Any of the authentication mechanisms that are supported on the NetScaler appliance can be configured as any factor of the nFactor authentication setup. These factors are executed in the order in which they are configured.
- Configure the NetScaler to proceed to an authentication factor that must be executed when authentication fails. To do so, you configure another authentication policy with the exact same condition, but with the next highest priority and with the action set to "NO_AUTH". You must also configure the next factor, which must specify the alternative authentication mechanism to apply.

Customer Enterprise Applications

Adaptive Multi-Factor Authentication (MFA) for tighter security: Enterprises have several stakeholders using their applications and data: employees, partners, vendors and several others who need access to apps and data from a variety of locations and using a variety of devices. Enterprises needed a way to authenticate different groups of users in different ways. While different Gateways can be used for different groups of users, the maintenance and consistency in experience will be impacted with this approach.

SSO: NetScaler supports all SSO protocols: SAML, Kerberos, KCD, form-based, 401/NTLM. NetScaler supports the SAML protocol and can play the SAML IDP role (use case 1 above) as well as the SAML SP role (use case 2 above).

Host Profiling: NetScaler supports the endpoint analysis (EPA) feature, which is used for host profile checks. EPA can be used to grant quarantined access in case the user is not meeting the security checks necessary for full access.

Compliance Auditing: NetScaler supports a wide range of auditing mechanisms like AppFlow, Syslog and user-defined logging.

Section 2: Configuration Steps

Unified Gateway for Hosted Windows Applications

Network Architecture(s)

When you deploy NetScaler Gateway in the DMZ, user connections must traverse the first firewall to connect to NetScaler Gateway. By default, user connections use SSL on port 443 to establish this connection. To allow user connections to reach the internal network, you must allow SSL on port 443 through the first firewall. NetScaler Gateway decrypts the SSL connections from the user device and establishes a connection on behalf of the user to the network resources behind the second firewall. The ports that must be open through the second firewall are dependent on the network resources that you authorize external users to access. For example, if you authorize external users to access a web server in the internal network, and this server listens for HTTP connections on port 80, you must allow HTTP on port 80 through the second firewall. NetScaler Gateway establishes the connection through the second firewall to the HTTP server on the internal network on behalf of the external user devices.

NetScaler Gateway deployed in the secure network

When you deploy NetScaler Gateway in the secure network, connect one interface on NetScaler Gateway to the Internet and the other interface to servers running in the secure network. Putting NetScaler Gateway in the secure network provides access for local and remote users. Because this configuration only has one firewall, however, it makes the deployment less secure for users connecting from a remote location. Although NetScaler Gateway intercepts traffic from the Internet, the traffic enters the secure network before users are authenticated. When NetScaler Gateway is deployed in a DMZ, users are authenticated before network traffic reaches the secure network. When NetScaler Gateway is deployed in the secure network, NetScaler Gateway Plug-in connections must traverse the firewall to connect to NetScaler Gateway. By default, user connections use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall.

SAML Identity Provider (IdP) Mode

The SAML IdP (Identity Provider) is a SAML entity that is deployed on the customer network. The IdP receives requests from the SAML SP and redirects users to a logon page, where they must enter their credentials. The IdP authenticates these credentials with the user directory (external authentication server, such as LDAP) and then generates a SAML assertion that is sent to the SP. The SP validates the token, and the user is then granted access to the requested protected application. When the NetScaler appliance is configured as an IdP, all requests are received by an authentication virtual server that is associated with the relevant SAML IdP profile. A NetScaler appliance can be used as an IdP in a deployment where the SAML SP is configured either on the appliance or on any external SAML SP. When used as a SAML IdP, a NetScaler appliance:
- Supports all authentication methods that it supports for traditional logons.
- Digitally signs assertions. Support for the SHA256 algorithm is introduced in NetScaler 11.0 Build 55.x.
- Supports single-factor and two-factor authentication. SAML must not be configured as the secondary authentication mechanism.
- Can encrypt assertions by using the public key of the SAML SP. This is recommended when the assertion includes sensitive information. Support introduced in NetScaler 11.0 Build 55.x.
- Can be configured to accept only digitally signed requests from the SAML SP. Support introduced in NetScaler 11.0 Build 55.x.
- Can log on to the SAML IdP by using the following 401-based authentication mechanisms: Negotiate, NTLM, and Certificate. Support introduced in NetScaler 11.0 Build 55.x.
- Can be configured to send 16 attributes in addition to the NameId attribute. The attributes must be extracted from the appropriate authentication server. For each of them, you can specify the name, the expression, the format, and a friendly name in the SAML IdP profile. Support introduced in NetScaler 11.0 Build 55.x.
- If the NetScaler appliance is configured as a SAML IdP for multiple SAML SPs, a user can gain access to applications on the different SPs without explicitly authenticating every time. The NetScaler appliance creates a session cookie for the first authentication, and every subsequent request uses this cookie for authentication. Support introduced in NetScaler 11.0 Build 55.x.
- Can send multi-valued attributes in a SAML assertion. Support introduced in NetScaler 11.0 Build 64.x.
- Supports post and redirect bindings. Support for redirect bindings is introduced in NetScaler 11.0 Build 64.x.
- Can specify the validity of a SAML assertion. If the system time on the NetScaler SAML IdP and the peer SAML SP is not in sync, the messages might get invalidated by either party. To avoid such cases, you can now configure the time duration for which the assertions will be valid. This duration, called the "skew time," specifies the number of minutes for which the message should be accepted. The skew time can be configured on the SAML SP and the SAML IdP. Support introduced in NetScaler 11.0 Build 64.x.
- Can be configured to serve assertions only to SAML SPs that are pre-configured on or trusted by the IdP. For this configuration, the SAML IdP must have the service provider ID (or issuer name) of the relevant SAML SPs. Support introduced in NetScaler 11.0 Build 64.x.
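Two of the IdP capabilities listed above, the assertion validity window with its skew time and the restriction to pre-configured SPs, are the ones that most often break a federation in practice, so the checks are shown here end to end. This is an added example written for this page, not Citrix code and not NetScaler's SAML implementation: the issuer and SP identifiers, the five-minute validity and two-minute skew are constructed values, and an HMAC-SHA256 over the assertion fields with a shared secret stands in for the XML digital signature (and the SP's public key) that a real IdP uses; the audience, issuer and time-window logic is the same.

```python
"""Constructed model of SAML IdP-side issuance and SP-side validation:
the IdP issues assertions only to service providers it has configured,
the SP accepts assertions only from its configured IdP and addressed to
itself, and both sides tolerate clock drift by the skew time.  A keyed
hash (HMAC-SHA256, shared secret) stands in for the XML signature.
Illustration written for this page, not Citrix code."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def ts_to_str(dt):
    return dt.strftime(TS_FORMAT)


def str_to_ts(text):
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def _sign(secret, payload):
    # Canonical serialisation so both sides hash identical bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class SamlIdp:
    def __init__(self, issuer, signing_secret, trusted_sp_ids, validity_minutes=5):
        self.issuer = issuer
        self.secret = signing_secret
        self.trusted_sp_ids = set(trusted_sp_ids)    # pre-configured SP IDs / issuer names
        self.validity = timedelta(minutes=validity_minutes)

    def issue(self, sp_id, name_id, attributes, now):
        """Build a signed assertion for a pre-configured SP, else return None."""
        if sp_id not in self.trusted_sp_ids:
            return None
        payload = {
            "Issuer": self.issuer,
            "Audience": sp_id,
            "NameID": name_id,
            "Attributes": attributes,
            "NotBefore": ts_to_str(now),
            "NotOnOrAfter": ts_to_str(now + self.validity),
        }
        return {"payload": payload, "Signature": _sign(self.secret, payload)}


class SamlSp:
    def __init__(self, sp_id, idp_issuer, idp_secret, skew_minutes=2):
        self.sp_id = sp_id
        self.idp_issuer = idp_issuer
        self.idp_secret = idp_secret
        self.skew = timedelta(minutes=skew_minutes)

    def validate(self, assertion, now):
        """Return (ok, detail): signature, issuer, audience, then time window."""
        payload = assertion["payload"]
        expected = _sign(self.idp_secret, payload)
        if not hmac.compare_digest(expected, assertion["Signature"]):
            return (False, "bad signature")
        if payload["Issuer"] != self.idp_issuer:
            return (False, "untrusted issuer")
        if payload["Audience"] != self.sp_id:
            return (False, "assertion not addressed to this SP")
        # Skew widens the window on both ends to absorb clock drift.
        not_before = str_to_ts(payload["NotBefore"]) - self.skew
        not_after = str_to_ts(payload["NotOnOrAfter"]) + self.skew
        if now < not_before:
            return (False, "assertion not yet valid")
        if now >= not_after:
            return (False, "assertion expired")
        return (True, payload["NameID"])
```

The signature is checked before any of the other fields so that nothing in an unsigned or tampered assertion influences the decision; the audience check is what stops an assertion minted for one SP from being replayed at another, which is why the IdP must know each SP's ID and the SP must know exactly one IdP issuer.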

ADFS Proxy Mode Configuration

To set up NetScaler as an ADFS proxy, the following features must be enabled in your NetScaler system: Load Balancing, Content Switching, SSL Offloading. Configuring the NetScaler as an ADFS proxy involves the following steps:
1. Set up a content switching virtual server; this is the ADFS proxy VIP. The IP address for this virtual server is the IP that will be used as the replacement for the ADFS server IP.
2. Create four load balancing virtual servers: one each for active and passive authentication, one for metadata access and one for rewriting the request URL.
3. Create and bind the required content switching policies to the CS vserver. These will consist of the following:
   - Two policies for parsing active and passive authentication requests, with pre-authentication enabled/disabled (disabled if authentication is preferred at the ADFS server)
   - One policy for parsing metadata requests, which are unauthenticated and have pre-authentication disabled.
   - One policy for rewriting the request URL from /adfs/services/trust to /adfs/services/trust/proxymex.
4. Create an AAA vserver, LDAP authentication and negotiate and session policies for authentication of requests at NetScaler and performing Kerberos impersonation/KCD (Kerberos Constrained Delegation) to the backend ADFS server.

For more information, refer to the deployment guide for the NetScaler ADFS proxy at https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/guide-to-deploying-netscaler-as-an-active-directory-federation-services-proxy.pdf

Packet Flow

Packet flow for the NetScaler as ADFS proxy with internal/external user access:
1. Internal/external user access to Office 365 is enabled by ADFS.
2. User is redirected to the applicable federation service for authentication.
3. User is redirected to the enterprise's internal federation service.
4. Internal user is load balanced to the ADFS farm.
5. External user connects to the NetScaler AAA-TM logon page.
6. User is authenticated against Active Directory or similar authentication service.
7. Post authentication, NetScaler does SSO (Kerberos/NTLM) to the ADFS farm.
8. ADFS server validates SSO credentials and returns STS token.
9. External user connects to the federation service where the token and claims are verified.
10. Based on validation, the federation service provides the user with a new security token.
11. External user provides authorization cookie with security token to the resource for access.
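The four content switching policies from the configuration steps above make a small, testable decision table: which load balancing vserver a request goes to, whether the URL is rewritten, and whether NetScaler pre-authentication runs first. The following models that table as an added example written for this page; it is not Citrix configuration and not the NetScaler policy language. The page names only the /adfs/services/trust and /adfs/services/trust/proxymex paths; the /adfs/ls prefix for passive requests, the /FederationMetadata/ prefix for metadata requests, the vserver names and the choice to leave the rewrite path unauthenticated are assumptions made for the example.

```python
"""Constructed model of the ADFS-proxy content switching decisions:
classify a request into the metadata, rewrite, active or passive policy,
pick the load-balancing vserver that policy targets, apply the
/adfs/services/trust -> /adfs/services/trust/proxymex rewrite, and decide
whether AAA-TM pre-authentication must happen first.  Illustration written
for this page, not Citrix configuration."""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit

PASSIVE_PREFIX = "/adfs/ls"                  # assumption for the example
ACTIVE_PREFIX = "/adfs/services/trust"       # named on the page
METADATA_PREFIX = "/federationmetadata"      # assumption (compared case-insensitively)


@dataclass(frozen=True)
class CsPolicy:
    name: str
    matches: Callable[[str], bool]
    target_lb: str                   # load balancing vserver the policy targets
    pre_auth: bool                   # whether AAA-TM pre-authentication applies
    rewrite_to: Optional[str] = None # replacement path, if the policy rewrites


def request_path(url):
    return urlsplit(url).path.rstrip("/") or "/"


def build_policies(pre_auth_at_netscaler):
    """Policies in priority order; the first match wins, like a bound CS policy list.
    pre_auth_at_netscaler=False models 'authentication is preferred at the ADFS server'."""
    return [
        CsPolicy("cs_adfs_metadata",
                 lambda p: p.lower().startswith(METADATA_PREFIX),
                 "lb_adfs_metadata", pre_auth=False),          # metadata is unauthenticated
        CsPolicy("cs_adfs_rewrite_mex",
                 lambda p: p.lower() == ACTIVE_PREFIX,
                 "lb_adfs_rewrite", pre_auth=False,            # assumption: no pre-auth here
                 rewrite_to=ACTIVE_PREFIX + "/proxymex"),
        CsPolicy("cs_adfs_active",
                 lambda p: p.lower().startswith(ACTIVE_PREFIX + "/"),
                 "lb_adfs_active", pre_auth=pre_auth_at_netscaler),
        CsPolicy("cs_adfs_passive",
                 lambda p: p.lower().startswith(PASSIVE_PREFIX),
                 "lb_adfs_passive", pre_auth=pre_auth_at_netscaler),
    ]


def dispatch(policies, url, authenticated=False):
    """Return a dict describing where the request goes, or why it is not forwarded."""
    path = request_path(url)
    for pol in policies:
        if not pol.matches(path):
            continue
        if pol.pre_auth and not authenticated:
            # AAA-TM pre-authentication: send the user to the logon page first.
            return {"action": "redirect_to_aaa_login", "policy": pol.name}
        return {"action": "forward", "policy": pol.name,
                "lb_vserver": pol.target_lb, "path": pol.rewrite_to or path}
    return {"action": "drop", "reason": "no CS policy matched"}
```

Ordering matters: the exact-match rewrite policy must sit above the prefix-based active policy, and the unauthenticated metadata policy must never be shadowed by a pre-authenticated one, otherwise federation partners fetching metadata would be sent to a logon page.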

Benefits of using NetScaler as an ADFS Proxy
1. Caters to both load balancing and ADFS proxy needs
2. Works with both internal and external user access scenarios
3. Supports several methods for pre-authentication and enables multi-factor authentication
4. Provides an SSO experience for end users
5. Supports both active and passive protocols. Examples of active protocol apps: Outlook, Lync
6. Examples of passive protocol apps: Outlook web app, browsers
7. NetScaler is a hardened device for DMZ-based deployment
8. Adds value with additional core ADC features: Content Switching, SSL offload, Rewrite, Responder, Rate Limit, Security (AAA-TM, Gateway, Application Firewall)

About Citrix

Citrix (NASDAQ:CTXS) is a leader in mobile workspaces, providing virtualization, mobility management, networking and cloud services to enable new ways to work better. Citrix solutions power business mobility through secure, personal workspaces that provide people with instant access to apps, desktops, data and communications on any device, over any network and cloud. This year Citrix is celebrating 25 years of innovation, making IT simpler and people more productive. With annual revenue in 2013 of $2.9 billion, Citrix solutions are in use at more than 330,000 organizations and by over 100 million users globally. Learn more at www.citrix.com.

Copyright 2014 Citrix Systems, Inc. All rights reserved. Citrix, NetScaler MPX, NetScaler SDX, NetScaler, CloudBridge and AppFlow are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies.